Every day I experience life in the world of healthcare IT, supporting 3000 doctors, 18000 faculty, and 3 million patients. In this blog I record my experiences with infrastructure, applications, policies, management, and governance as well as muse on such topics such as reducing our carbon footprint, standardizing data in healthcare, and living life to its fullest.

Monday, December 31, 2012

It's the time of year that many writers reflect on the major events of the past 365 days. I'll let the journalists cover the impact of the election, the epidemic of senseless violence, and the scandals of infidelity.

To me, there were 5 major healthcare IT events in 2012 that we need to recognize and celebrate:

1. EHR adoption became unstoppable - In 2010, the Beth Israel Deaconess Physician's Organization changed its bylaws to require a certified EHR as a condition of practice. Even in 2010 this was controversial and we had long discussions about exceptions for specialists and grandfather clauses for early adopters of EHRs which lacked the interoperability we required. In 2012, any such discussion became moot. 90% of our entire community of affiliated clinicians have attested to meaningful use. As Beth Israel Deaconess expands its accountable care organization, one of the first questions asked by potential partners is the IT integration strategy. In every community I visit in the US, clinicians are speaking about their EHR experiences. Initial implementations were often challenging, but I've not found a clinician who wants to revert to a paper world.

2. Health Information Exchange became real - In Massachusetts and many other states, communities are exchanging data for care coordination and population health. Unambiguous transport, content, and vocabulary standards have taken the guesswork out of health information exchanges. Although the technical issues have been solved, there are remaining business sustainability issues for some HIEs, but several have found that stakeholders will pay for data sharing from the money saved through cost avoidance as new business processes are enabled.

3. Standards harmonization became a process instead of an emotional debate - Having been involved in standards making, implementation guide writing, and regulation formation for the past decade, I can say that 2012 was a year in which creating/choosing standards became a well defined public/private process without any of the religious wars of the past such as "my XML is better than your XML". Each time there was a question to be answered, experts came together using a common process and either produced a definitive answer or concluded that existing standards were not sufficiently mature for adoption, encouraging the marketplace to experiment with novel approaches. For example, Massachusetts designed a very simple SOAP-based query/response approach to provide directories.

4. Patient and family engagement went mainstream - In 1999 when Beth Israel Deaconess launched Patientsite, it was considered very controversial to give patients view/access/download rights to their electronic health records. In 2010 when we added the full text notes created by clinicians, the myths about straining the physician/patient relationship with too much transparency still persisted. In 2012, it is now part of the Beth Israel Deaconess medical staff bylaws that clinicians share all electronic data with patients.

5. Privacy and Security in healthcare began the journey to maturity - As I've written previously healthcare has traditionally under-invested in the processes, procedures, and documentation needed to create a mature security program. Just as strong enforcement by the Securities and Exchange Commission created a culture of compliance that led us to trust in the integrity of the stock market, so does strong enforcement of HIPAA motivate hospitals and professionals to create a culture of security. Every healthcare CIO I speak with confirms that 2012 was a year in which security projects became their top priority.

Of course there were other trends in 2012 - every vendor developed a cloud strategy, clinicians went increasingly mobile, and tablets became the new desktop. Meaningful Use Stage 2 gave us a roadmap for the work of the next year. ICD10 was delayed until October 1, 2014.

Overall, life as a CIO also changed.

As a CIO in 1998, I wrote code and architected web infrastructure. As a CIO in 2012, I focused on change management, governance, budgets, developing the next generation of IT leaders, and communication. Although I have changed in the past 15 years, the healthcare IT industry itself has matured and the nature of being a CIO in 2012 requires a skill set beyond mastery of technology. As we approach 2013, I will again strive to maintain my equanimity, empower my stakeholders to select those IT priorities which best meet their requirements, and avoid becoming the rate limiting step in any process. 2013 will be a year with many important projects and a new set of regulatory requirements, but in many ways I think 2013 will be more about getting projects done and less about managing the disruption of change. 2012 set the course and we're all headed to a great future. Now we just have to do the work that will get us there.

Tuesday, December 25, 2012

Monday, December 24, 2012

It's Christmas Eve and we're gathered around the hearth at our farm awaiting the Christmas snowfall that is forecast tonight for New England.

I've split logs from an oak tree that blew over during Hurricane Sandy and cut thin flakes from an old cedar tree that fell at the edge of our pasture. The cedar's oils pop and crackle in the fire, so I only use small pieces at a time. The room is filled with the scents of the balsam fir Christmas tree, the smoky sweetness of burning oak/cedar, and an apple crisp made from the orchard next door.

The animals are tucked in for the evening. The chickens and guinea fowl are roosting in the rafters of their coop, near the warming panels we installed for sub-freezing nights like tonight.

The dogs are curled up together in the hayloft after a day of running and rolling in the sunny pasture.

The alpacas and llama are sitting under the ice-ringed moon with their legs tucked under their bodies. They only sleep in the barn on windy or rainy nights.

The forest is still and the only sounds that echo through the rolling hills are twigs snapped by wandering deer, the quiet hum of wild turkeys in the pine trees above the paddocks, and the whistle of a distant train.

To me, Christmas is a state of mind - a sense that for a day or two the anxieties and conflicts of the world can be set aside so families can revel in the positive aspects of the past year and the anticipation of good things to come.

2012 was a turbulent time for us with family health issues, a pace of healthcare IT projects that exceeded any previous year, and many transitions as we sold our home/my father in law's home, closed Kathy's studio/gallery, and consolidated everything to Unity farm.

As we approach the end of the year, there are undone tasks and unresolved challenges. Some define anxiety as a feeling of fear and concern about the unknown. On Christmas Eve, I know that for every future setback there will be a process to make it better. There's no reason to worry today about what might or might not be.

Especially today I'm willing to put aside every negative memory or emotion and focus on the overall path for 2012 which has been overwhelmingly positive.

My wife is cancer free and enjoying every day in her new role as farmer's wife (no blind mice or carving knives involved).

My daughter has a new sense of independence after becoming a confident driver and taking on responsibility for all aspects of her personal life. Mom and Dad are always available to provide assistance and advice, but we're a safety net not a guiding force.

My parents are steadily improving after a year of several health issues. They openly discuss all the possibilities for the future and the stepwise path to ensure they have the highest quality of life possible.

My colleagues in all my IT worlds - international, Federal, State, and BIDMC - continue to make a difference every day by improving the quality, safety, and efficiency of patient care.

My own health, mental and physical, is the best it has ever been and I feel a great sense of well being.

May you all have a holiday season with the nurturing joy and love of the season, taking in the sights, smells, and emotions that remind us of all of the good things this world has to offer.

Thursday, December 20, 2012

I recently spoke with the owner of a 200 acre farm where he and his wife run a CSA, breed goats, and raise cattle. As a vegan, I'm always interested in how farmers who raise livestock for meat address the issue of the emotional bond between the caregivers and the animals.

One common theme I've heard is that farmers and their families do not name animals they intend to sell or process for meat. It's really awkward to respond to a child's innocent "what's for dinner question" with an answer like "Spot" or "Buddy".

As a vegan/vegetarian farm, we have no plans to eat any of our animals and each of them is named for their unique personal characteristics.

Our llama is named "Black Orchid" because of her dark fur and elegance.

Our female alpaca are:
Mocha - she's a chocolate brown color and always interested in delectable foods
Daisy Mae - she's sweet, petite, and good natured
Ella Mae - she's the kind hearted mom of Daisy
Tinkerbell - she's light on her feet and always dashing about
Persia - she has alluring eyes and dark luxuriant lashes that make her look like a mysterious female from the East

Our chickens are:
Sunny - she's our gold colored buff orpington
Chocobo - she's named after a character in "Final Fantasy" that looks like a yellow/gold chicken, perfect for a buff orpington
Midnight - she's our jet black Jersey Giant who is highest on the pecking order
Pingu - her name is Japanese for "penguin", which is fitting for a black Jersey Giant with a touch of white
Snow - she's our white, fluffy Brahma
Velma - she's our smartest chicken, a Brahma, who is named for the Scooby Doo character Velma Dinkley
Chipmonk - she's our Ameracauna with striped coloring just like a chipmunk
Zephyr - she's our breezy barnyard Ameracauna wanderer who is always running from one place to another
Clover - she's our white Ameracauna who enjoys rolling in the grass
Silver - she's our shimmering white Ameracauna with a heavy, thick neck
Terra - she's our first egg layer who enjoys her earthy dust baths
Rainbow - he's our multicolored Ameracauna rooster
Lucky - he's our rescued rooster who now spends his day in the company of 11 female chickens instead of being prepared for Sunday dinner

Our Great Pyrenees Mountain dogs are Bundle and Shiro. Our cat is Lily and we may adopt two rescue cats - Toby and Blessings.

Admittedly the Guinea Fowl are hard to identify separately because they are all genetically related. We do have 2 whites, 7 blacks, and 9 grays. One of the blacks is Piebald.

Whenever I'm running through an airport (most are vegan food deserts), I'm often presented with food choices like chicken caesar or some kind of poultry nugget. Not only does my commitment to veganism keep me from such foods, but the thought of eating Sunny, Chipmonk or Lucky is unconscionable.

Naming the animals is one of the great pleasures of life on the farm. Every day when I'm moving hay, filling water, and shoveling manure, I can address everyone by name, wishing them good morning or offering words of encouragement.

Wednesday, December 19, 2012

The December HIT Standards Committee focused on the reality of implementing the Meaningful Use Stage 2 Standards and Certification rule in the real world of hospitals, clinician offices, and healthcare information exchanges.

First, Liz Johnson and Cris Ross provided a detailed review of the 7 waves of certification test scripts. We discussed several recommendations to clarify and streamline the testing process. In early 2013, the implementation workgroup will complete clinical scenarios to be used by certification bodies. In February 2013 the workgroup will host public hearings to solicit feedback. BIDMC has offered itself as a site to pilot these scripts. The goal is to produce final and piloted scripts in the Spring of 2013, aligning with the timing of vendor product releases and their readiness for Meaningful Use Stage 2 certification.

Next, Dixie Baker presented an excellent summary of the recent hearings on Trusted Identity of Patients in Cyberspace. She defined the essential terms - identity management and authentication then emphasized their importance in the patient/family engagement provisions of meaningful use stage 2.

Dixie also presented the Privacy and Security Workgroup Recommendations on the security certification for modular EHRs. I speak with the press frequently and some reporters have noted that the current meaningful use stage 2 rules may reduce overall security by not requiring formal certification criteria or documentation that would assure the "sum of the modular parts" is appropriately secure. Dixie's recommendations address this concern by offering 3 security certification options for modular EHRs.

Jamie Ferguson and Betsy Humphreys presented the need to use Current Dental Terminology (CDT) for specific quality measures that require structured information about dental procedures. The committee supported this by consensus as long as the wording of the recommendation only requires CDT for EHRs that calculate specific dental quality measures.

I've written about some of these themes in previous posts and each has their uncharted territory.

One component that crosses several of my goals is how electronic documentation should support structured data capture for ICD10 and ACO quality metrics.

How are most inpatient progress notes documented in hospitals today? The intern writes a note that is often copied by the resident which is often copied by the attending which informs the consultants who may not agree with content. The chart is a largely unreadable and sometimes questionably useful document created via individual contributions and not by the consensus of the care team. The content is sometimes typed, sometimes dictated, sometimes templated, and sometimes cut/pasted. There must be a better way.

I recently attended a two day retreat to brainstorm about novel approaches to clinical documentation.

Imagine the following - the entire care team jointly authors a daily note for each patient using a novel application inspired by Wikipedia editing and Facebook communication. Data is captured using disease specific templates to ensure appropriate quality indicators are recorded. At the end of each day, the primary physician responsible for the patient's care signs the note on behalf of the care team and the note is locked. Gone are the "chart wars", redundant statements, and miscommunication among team members. As the note is signed, key concepts described in the note are codified in SNOMED-CT. The SNOMED-CT concepts are reduced to a selection of suggested ICD-10 billing codes. A rules engine reports back to the clinician where additional detail is needed to justify each ICD-10 code, e.g. a fracture must have the specifics of right/left, distal/proximal, open/closed, simple/comminuted.
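To make the last step concrete, here is an added example (not code from the retreat, from BIDMC, or from any vendor named in this post) of the completeness check such a rules engine would run: each candidate code family declares the qualifiers a note must contain before a specific code is justified, and the engine reports what is still missing. The concept names, code family labels and qualifier rules below are constructed placeholders, not real SNOMED-CT or ICD-10 content.

```python
"""Completeness check for coded clinical notes: map each coded concept to a
candidate billing code family, then report which required qualifiers are
absent or carry an unrecognized value. Added illustration; all codes, concept
names and rules are constructed placeholders."""

# Qualifiers each (placeholder) code family needs before a specific code is justified
REQUIRED_QUALIFIERS = {
    "FRACTURE_FAMILY": ["laterality", "site", "open_closed", "pattern"],
    "PNEUMONIA_FAMILY": ["organism"],
}

# Accepted values per qualifier (constructed)
ALLOWED = {
    "laterality": {"right", "left"},
    "site": {"distal", "proximal"},
    "open_closed": {"open", "closed"},
    "pattern": {"simple", "comminuted"},
    "organism": {"bacterial", "viral", "unspecified"},
}

# Placeholder coded concepts (as a real system would get from SNOMED-CT) -> code family
CONCEPT_TO_FAMILY = {
    "concept:fracture_of_radius": "FRACTURE_FAMILY",
    "concept:pneumonia": "PNEUMONIA_FAMILY",
}


def check_note(concepts, qualifiers):
    """Return {code_family: [missing or invalid qualifier names]}.

    An empty list means the note already carries enough detail to justify a
    specific code in that family; concepts with no known family are ignored.
    """
    report = {}
    for concept in concepts:
        family = CONCEPT_TO_FAMILY.get(concept)
        if family is None:
            continue
        missing = []
        for qualifier in REQUIRED_QUALIFIERS[family]:
            value = qualifiers.get(qualifier)
            # A qualifier that is absent or outside the allowed set is reported
            if value not in ALLOWED[qualifier]:
                missing.append(qualifier)
        report[family] = missing
    return report


def justified_families(report):
    """Code families for which the note needs no further detail."""
    return sorted(family for family, missing in report.items() if not missing)


def feedback_lines(report):
    """Human-readable prompts of the kind the clinician would see at signing."""
    lines = []
    for family, missing in sorted(report.items()):
        if missing:
            lines.append(f"{family}: please document {', '.join(missing)}")
        else:
            lines.append(f"{family}: sufficient detail to select a code")
    return lines


# Constructed sample note: a radius fracture documented as "left, closed" only
SAMPLE_CONCEPTS = ["concept:fracture_of_radius", "concept:pneumonia", "concept:unknown"]
SAMPLE_QUALIFIERS = {"laterality": "left", "open_closed": "closed", "organism": "viral"}

if __name__ == "__main__":
    for line in feedback_lines(check_note(SAMPLE_CONCEPTS, SAMPLE_QUALIFIERS)):
        print(line)
```

In practice the qualifier vocabulary would be drawn from the templates mentioned above, so that "site" and "pattern" are captured as structured fields when the note is written rather than reconstructed from free text at signing time.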

You can imagine that the moving parts I've described are modular components provided by different companies via cloud hosted web services (similar to the decision support service provider idea).

We've been speaking with industry leaders such as m*modal, 3M, and Optum about these ideas.

Early adopters including Kaiser, Geisinger and Mayo are already working on elements of this approach.

However, there are challenges.

1. Clinicians are not broadly trained in the use of SNOMED-CT. It may be that SNOMED-CT should be used for internal storage of structured data but only friendly plain text descriptions are displayed to users.

2. Will CMS, the Joint Commission, and malpractice insurers accept the concept of jointly authored care team notes?

3. Implementing all 5 applications/modules at once may be too much change too quickly, making the overall project high risk.

5. Will companies be willing to create such modules/services at a time when few EHRs are likely to interface to them? As Meaningful Use Stage 3 is finalized, I expect some of this functionality to be required.

We have 22 months before ICD-10 compliance is required and complete documentation in support of the new codes must be available. We need to work fast. Tomorrow we have an internal conference call to plan next steps - what module or modules do we work on first? We have companies interested in partnering with us on Modules 2 and 3. The National Library of Medicine's VSAC is developing module 4.

I welcome your advice - have you discovered emerging products that might be useful for our exploration?

Have you considered how to take your clinical documentation to the next level?

Monday, December 17, 2012

Last Wednesday I was in Washington DC speaking at the ONC annual meeting and the speaker who preceded me was Leon Rodriguez, Director of the Office of Civil Rights. On Thursday, I was in Boston speaking at the HIMSS Privacy and Security Forum and the speaker who preceded me was Leon Rodriguez. Now that Leon and I are doing roadshows together, I have a broader understanding of the privacy and security enforcement goals of the Obama administration.

In the past, as an operational CIO, an academic studying approaches to healthcare information exchange, and as co-chair of the HIT Standards Committee, I've focused on security technology (FIPS 140 encryption, ASTM audit trail standards, two factor authentication, remote access, intrusion detection, zero day defense etc.) and the enabling policies that support best practices.

While this has been effective, as measured by downtime, breaches of devices under IT control, and a balance between ease of use/access restriction, the entire healthcare industry is still on a journey toward security program maturity.

What do I mean?

A mature program uses a framework such as NIST 800 to serve as rubric for stakeholder analysis of risk. Such a framework ensures that stakeholders consider all the elements of risk and not just the ones that are top of mind for experts in the room. Risks can be physical security, mobile devices, human factors including staffing levels that concentrate expertise in too few people, configuration policies, and timeliness of audit log reviews. In the past, many CIOs in healthcare have been given enough security staff to support operations but not enough staff to create the processes, policies, and documentation that reflect a mature, optimized program.

If you take a look at Leon's slides, you'll see that the Office of Civil Rights wants to ensure organizations have done a thorough risk analysis. I would recommend doing this yearly. Once the risk analysis is done, stakeholders including Boards and senior management should prioritize risk, develop mitigation action plans, and document their decisions.
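A risk register is the artifact that ties the three steps together: analysis produces scored entries, prioritization sorts them, and the action plan and decision are written back into the register so the yearly review has something to audit. The following is an added example of that bookkeeping, not BIDMC's program or any NIST tool; it uses the qualitative likelihood-times-impact scoring common in NIST SP 800-30 style assessments, and the risk entries, rating scale and review cadence are constructed.

```python
"""Risk register with qualitative scoring, prioritization, stale-review
detection and documented decisions. Added example; entries and the 5-point
scale are constructed, not taken from any real assessment."""
from dataclasses import dataclass
from datetime import date

# Constructed 5-point qualitative scale for both likelihood and impact
LEVELS = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}


@dataclass
class Risk:
    name: str
    category: str          # physical, mobile devices, human factors, configuration, audit
    likelihood: str
    impact: str
    owner: str
    last_reviewed: date
    decision: str = ""     # accept / mitigate / transfer / avoid, once stakeholders decide
    mitigation: str = ""   # the documented action plan

    def score(self) -> int:
        """Likelihood x impact on the constructed scale (1..25)."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]


def prioritize(register):
    """Highest score first; ties keep their original order."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def stale_reviews(register, today, max_age_days=365):
    """Names of risks not re-examined within the yearly cadence recommended above."""
    return [r.name for r in register if (today - r.last_reviewed).days > max_age_days]


def undocumented(register):
    """Risks that still lack a recorded decision or an action plan."""
    return [r.name for r in register if not (r.decision and r.mitigation)]


def record_decision(risk, decision, mitigation, today):
    """Write the stakeholders' choice into the register and reset the review clock."""
    risk.decision = decision
    risk.mitigation = mitigation
    risk.last_reviewed = today
    return risk


# Constructed sample register, reflecting the risk categories listed above
TODAY = date(2012, 12, 17)
REGISTER = [
    Risk("Unencrypted laptops leave campus", "mobile devices", "high", "very high",
         "CISO", date(2012, 3, 1)),
    Risk("One engineer holds all firewall knowledge", "human factors", "moderate", "high",
         "IT director", date(2011, 11, 15)),
    Risk("Audit logs reviewed quarterly, not weekly", "audit", "moderate", "moderate",
         "Security operations", date(2012, 9, 1)),
    Risk("Server room door propped open for deliveries", "physical", "low", "moderate",
         "Facilities", date(2012, 10, 20)),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.score():2d}  {r.category:15s} {r.name}  (owner: {r.owner})")
    print("overdue for review:", stale_reviews(REGISTER, TODAY))
    print("no documented decision yet:", undocumented(REGISTER))
```

The point of `undocumented` and `stale_reviews` is that an assessor asks for evidence of the decision process, not just the list of risks; an entry with a score but no recorded decision is exactly the gap an enforcement review would flag.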

Leon and the OCR understand that breaches can occur in effective and mature security programs, e.g. no technology can stop an authorized user from using a digital camera to take a photo of protected healthcare information on a computer screen and then sharing that photo inappropriately.

OCR wants to ensure organizations have created a culture of compliance that goes beyond security technologies. It includes education, incident responses, and documented discussion that demonstrate an organization and its staff consider security and privacy as part of their duty and daily work lives.

Leon made very thoughtful comments at both venues. Although the press has called the HHS log of reported privacy breaches the "Wall of Shame", Leon does not use this term. A breach is investigated to ensure that the right processes were in place at the affected organization to mitigate risk. The findings are used to educate the entire industry. Fines are issued when organizations did not follow the compliance requirements of HIPAA and HITECH, not because of the breach itself.

My take away from this is that all IT organizations should spend the next few years adding polish to their policies, procedures, documentation, education, and process efforts. BIDMC has embraced NIST 800 for this effort and thus far it is going well.

A final thought. This work takes resources, both capital and operating. However, Boards and senior management are likely to be receptive to security resource requests in 2013, since the cost of non-compliance can easily exceed the cost of the additional people needed to create a mature security program.

Thursday, December 13, 2012

As I've mentioned in previous posts, our male alpacas are guarded by two Great Pyrenees Mountain dogs, Bundle (a one year old female) and Shiro (a 6 month old male). Bundle is 70 pounds and not likely to grow much more. Shiro is 70 pounds and likely to grow to 100 pounds.

At the farm, we have a routine. In the early morning, when we do chores (stock the hay feeders, fill water buckets, haul manure etc.) we give the dogs breakfast biscuits. Great Pyrenees tend to guard their food, so the dogs carry their treats to opposite ends of the paddock and savor them. As we finish the chores, I ask Bundle to get her leash (it's sometimes a favorite tug of war toy for the dogs) and we run a few miles on surrounding trails. Bundle is very interested in finding deer, wild turkeys, and small mammals. Shiro is more interested in following Bundle then stealthily jumping on her when she least expects it. Since Shiro goes where Bundle goes, he does not need a leash at this point in his life (although mature male Great Pyrenees tend to wander).

I've cut 3 trails through the woodland - the Orchard trail, the Old Cart Path (used in Colonial days), and the Marsh trail. The dogs run as fast as they can along the Orchard trail and up the stairs I've built in an old rock wall to access the neighboring 55 acre orchard where they can play in the grass, roll down hills, and enjoy all the interesting plant/animal smells they discover between the old apple trees.

After a run around the orchard, we return to the Orchard trail and run back to paddock. Great Pyrenees tend to sleep during the day and guard at night when predators are most active. After their run, the dogs fall asleep under the hay feeder or in the hay loft. They never seem to mind the cold since they have a double coat of insulating fur. Bundle would rather stay dry but Shiro enjoys digging in the mud before sleep. It's puppy heaven.

Before evening chores, we run the Old Cart Path, often finding the 30 wild turkeys that roost in pine trees above our stream. In the longer days of Summer and Fall, Bundle and Shiro enjoy a few minutes of tumbling together in the tall grass of the pasture before heading back to the paddock. While we are cleaning the barnyard and replenishing food/water/minerals for all the animals, the dogs eat dinner in separate areas of the barn to avoid any squabbling over food. Although our farm is entirely vegetarian/vegan, the dogs eat an appropriate diet for an omnivore. Although it is possible, I would not recommend a vegan diet for dogs and cats.

After all the animals are secured and settled for the night, my wife and I return to the house to prepare our own dinner. The dogs begin the vigilant watch of the barn yard.

Two dogs, a 300 pound llama and a 5 foot electric fence have proven to be an effective deterrent for the coyotes, fisher cats, and foxes in our forest.

Whenever a predator threatens, the dogs bark at it wildly, raising an alarm. When I hear them, I venture out to the paddock to ensure all is well. The dogs greet me as if they have not seen me in years. They can never be petted enough. Both dogs are incredibly strong and try to tackle me to the ground in play.

On the rare occasions that I must discipline the dogs (see The Guinea Fowl Who Lost His Mojo), they are genuinely upset by the disapproval of their pack leaders (the humans). They sulk and beg forgiveness.

At any time of day or night, with fair and foul weather, in any situation, the dogs give their love unconditionally.

Bundle and Shiro are always happy to serve, eager to play, and thankful for a rub behind the ears. They seek approval and take their alpaca guarding work very seriously.

They look forward to the daily rituals we've developed and definitely feel a loss when my schedule breaks the pattern (going to Washington DC at 4am conflicts with the morning run).

We have affection for all the citizens of Unity Farm, but the unconditional love of dogs creates a special bond for us. I look forward to sharing the next decade of our lives together.

Wednesday, December 12, 2012

Today I'm speaking at the ONC annual meeting as part of panel discussing interoperability.

For years, patients, providers and payers have complained that EHRs "do not talk to each other".

By 2014, I expect this issue to disappear.

Why?

Do I expect that every state and territory will have a robust, sustainable healthcare information exchange by 2014? No.

Do I expect that every provider will be connected to a Nationwide Health Information Network by 2014? No.

Do I expect that a single vendor will create a centrally hosted method to share data by 2014, just as Sabre did for the airline industry in the 1960's? No.

What I expect is that Meaningful Use Stage 2 will provide the technology, policy, and incentives to make interoperability real.

Stage 2 requires that providers demonstrate, in production, the exchange of clinical care summaries for 10% of their patient encounters during the reporting period. The application and infrastructure investment necessary to support 10% is not much different than 100%. The 10% requirement will bring most professionals and hospitals to the tipping point where information exchange will be implemented at scale, rapidly accelerating data liquidity.

Stage 2 requires that more than 5 percent of patients with inpatient or outpatient encounters (or their authorized representatives) view, download or transmit to a third party their information during the EHR reporting period. The Automate Blue Button initiative is an example of this functionality. It puts the patient in control by enabling query/response or publish/subscribe retrieval of care summary data from EHRs. Just as the 10% threshold for exchange of summaries between providers will encourage technology and policy implementation, the 5% threshold for patient-provider exchange means that software, educational materials and processes will be put in place to engage patients and families in novel ways. If not, hospitals and professionals will not qualify for stimulus dollars.

A subtle point in the final rule that some may overlook is the statement above, "patients (or their authorized representatives)". The Social Security Administration, with patient consent, could act as an authorized representative and retrieve medical history in support of disability claims. Innovative third parties offering consumer oriented decision support, care management services, or home health might act as authorized representatives. The patient access provisions will create an ecosystem of products - an app store for health.

The standards included in Meaningful Use Stage 2 are unambiguous. Content, vocabulary, and transport standards backed by comprehensive implementation guides and resources like the National Library of Medicine's Value Set Authority Center (VSAC) eliminate the gaps in semantic interoperability that were an impediment to interoperability in the past.

Finally, in addition to stimulus payment incentives, Accountable Care Organizations/Value-Based Purchasing risk contracts make redundant testing a cost rather than a profit center, motivating hospitals and professionals to share data across communities.

With certified technology, standards, and incentives to share data among providers and patients, 2013-2014 will usher in a new era of interoperability.

My daughter will be 21 years old in 2014. It is my hope and belief that she will never face paper-based uncoordinated care in her adult life. With Meaningful Use Stage 2, CMS and ONC have laid the foundation to make that possible.

Thursday, December 6, 2012

This is our first winter on the farm and although we have prepared the barn, pasture, woodlot, coop, and animals for the cold weather we do not yet have Christmas traditions at Unity. This year, we have to make them.

Using local materials from local vendors, we've added garlands of white pine and fir to the barn, pasture gate and house entryway. We've hung wreaths on the sheds and added swags of juniper to our light posts.

Mistletoe kissing balls surround the front door. We've decorated a living Christmas tree in front of the house. We've added strings of Christmas lights to selected trees and woven lights into the strands of pine garland.

Our 15 acres are filled with oaks, cedars, pines, birch, and poplar. Hurricane Sandy blew over a few older, dead trees. I've cut them up and split the wood into 3 neat cords for Christmas fires in our stone hearth and wood burning stove (made in 1880).

Indoors we'll find a place to build our model New England village and create a miniature barnyard around the creche from my childhood.

A Lionel train will circle a small indoor Christmas tree that we'll harvest this weekend.

Christmas stockings for my wife and me, our daughter, my father-in-law and our animals will be hung on the chimney with care.

While we do not have reindeer, we do have a four point buck and five does living in our meadow.

Christmas dinner will include a medley of root vegetables from our cellar, Japanese pumpkin (kabocha) simmered in rice wine and soy sauce, potatoes, baked apples, homemade tofu, and blueberry pie.

Life on a farm means that gifts are practical. Warm, waterproof gloves for cold early morning work in the paddocks. A vest to break the chill of a windy day. A few woodworking tools (last year my wife gave me a splitting maul and Swedish forest axe). We make our own soaps on the farm and we'll be giving gifts that range from an oatmeal scrubbing soap to a poppy seed facial soap. I cut up a 100 year old cedar that fell in recent storms and we'll be giving blocks of its aromatic purple wood to keep moths out of closets.

The traditions we're building at Unity Farm will bond me to the place, the citizens (animal and human) living there, and the familiar rituals we create. There is something timeless about working the land and creating a celebration of the season with a loving family around you. We are defined by the experiences, good and bad, in our jobs, our relationships, and our environment. Preparing for Christmas on the Farm has healed the bad, multiplied the good, and given me the equanimity I have yearned for in 2012.

My daughter still has the silver bell she received from our ride on the "Polar Express" in New Hampshire when she was a child. We'll hang it on our first Unity Farm Christmas tree and I'm confident that this season we will all be able to hear its sweet, resonant sound.

Wednesday, December 5, 2012

Over the past few months I've been talking to many industry leaders about the challenge of matching IT supply and demand. Governance committees are essential but are not enough when the number of project requests is so large that they become difficult to triage.

Objective, quantitative scoring criteria can help.

Intel has implemented a Business Value Index that is based on numerical scoring of

"We take all inbound requests, whether captured by helpdesk or in meetings. A clinical informaticist reviews the request and presents it at our scoring committee meeting, which lasts for about an hour each week. The informaticist provides a preliminary scoring, and the group either confirms it, adjusts it, or sends it back for more research. Occasionally a request will be outright denied at the meeting if it just doesn't make sense. We have an appeals process for the requestor but it is rarely used. All requests, regardless of age, are kept in a rank ordered list by priority based on score. The application teams work from the top of that list downward, and they don't pick up anything new from the list until something currently underway is completed. Lastly, we reserve some capacity for fast track (easy items) which can be done even if lower on the list."

Tuesday, December 4, 2012

Per the theme of security assessment I've been posting about, part of crafting a multi-year security roadmap is examining technologies and practices that have limited use in healthcare but are widely deployed in other industries.

Application Security Testing - Vendor applications, including those with FDA 510k approval, may have security vulnerabilities. Testing third party products with source code analysis tools can find defects that are missed by traditional vulnerability scanning software. Related to application testing is third party vendor management. Testing and verifying the security of cloud hosted service providers and business associates is becoming a best practice.

Data Loss Prevention - Although many healthcare organizations have strict policies on the use of email, social networking, cloud storage, remote access, and mobile devices, it's increasingly important to have technology in place that enforces those policies, preventing users from violating them by sending data to non-secured locations, e.g. sending patient information to a referring clinician who uses Gmail. Many vendors offer appliances that quarantine, notify, restrict, and manage the flow of email containing person identified information/protected healthcare information. Related to DLP is a strategy to prevent the use of unencrypted storage devices - thumb drives, DVDs, CDs etc.
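As an added illustration of the DLP mechanism described above (example code written for this post, not a product or BIDMC's configuration), the check below scans outbound mail for patient identifiers and quarantines any message carrying them to a domain outside a constructed business-associate allow-list; the domains, detector patterns and sample messages are all constructed.

```python
"""Added example, not from the original post: a minimal outbound-mail DLP
policy check. It scans constructed messages for patient identifiers and
decides, per message, whether it may leave for its recipients, depending on
whether each recipient domain is an approved, encrypted business-associate
destination. Domains, detector patterns and messages are all constructed."""
import re
from dataclasses import dataclass, field

# Constructed allow-list: domains covered by a business-associate agreement
# and reachable over encrypted mail. Anything else counts as non-secured.
APPROVED_DOMAINS = {"bidmc.example", "partnerhospital.example"}

# Constructed PHI detectors. Production appliances use much richer
# dictionaries (names, diagnoses, MRN formats); these show the mechanism.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,8}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]+\d{1,2}/\d{1,2}/\d{4}\b",
                      re.IGNORECASE),
}


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str


@dataclass
class Verdict:
    action: str                          # "allow", "notify" or "quarantine"
    findings: dict = field(default_factory=dict)
    external_recipients: list = field(default_factory=list)


def recipient_domain(address):
    return address.rsplit("@", 1)[-1].lower()


def find_phi(text):
    """Return {detector: match_count} for every detector that fires."""
    return {name: len(pat.findall(text))
            for name, pat in PHI_PATTERNS.items() if pat.search(text)}


def evaluate(msg):
    """Apply the policy: PHI to an unapproved domain is quarantined, PHI to
    approved partners is delivered but logged, everything else passes."""
    findings = find_phi(msg.subject + "\n" + msg.body)
    external = [r for r in msg.recipients
                if recipient_domain(r) not in APPROVED_DOMAINS]
    if not findings:
        return Verdict("allow", findings, external)
    if not external:
        return Verdict("notify", findings, external)
    return Verdict("quarantine", findings, external)


# Constructed sample traffic: the referral-to-webmail case from the post, an
# internal message containing an SSN, and a PHI-free message to a consumer domain.
SAMPLE_MESSAGES = [
    Message("dr.jones@bidmc.example", ["referring.md@gmail.example"],
            "Referral", "Please see patient MRN: 1234567, DOB: 03/14/1952."),
    Message("dr.jones@bidmc.example", ["billing@bidmc.example"],
            "Account", "Patient SSN 123-45-6789 needs a corrected claim."),
    Message("dr.jones@bidmc.example", ["friend@gmail.example"],
            "Lunch", "Noon at the cafeteria?"),
]


def run_policy(messages=SAMPLE_MESSAGES):
    """Return [(action, findings)] in message order, as a gateway would log."""
    return [(v.action, v.findings) for v in map(evaluate, messages)]


if __name__ == "__main__":
    for msg, (action, findings) in zip(SAMPLE_MESSAGES, run_policy()):
        print(f"{action:10} {msg.subject:10} {findings}")
```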

Adaptive Authentication - Critical applications, including email, enterprise resource planning, and clinical applications deserve increased authentication rigor. For example, if a user does not typically log in from outside the US and suddenly logs in from an unexpected location, then the user should be challenged with an additional factor. Approaches could include a secret question or a one time PIN code sent to a known cell phone. Such applications can also perform a risk analysis of authentication events to detect anomalies, including authentication events using compromised accounts and suspect IP addresses.
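The risk analysis just described, as an added example (not from the original post or any vendor product): each login event is scored against a constructed per-user baseline, a constructed suspect-IP list and a constructed compromised-account feed, and the score decides whether the password alone suffices, a second factor is required, or the attempt is blocked; the thresholds are illustrative assumptions.

```python
"""Added example, not from the original post: rule-based risk scoring of
authentication events that decides when to require an additional factor.
The per-user baseline, suspect-IP list and compromised-account feed are
constructed; the thresholds are illustrative, not a recommended policy."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ip: str
    country: str
    device_id: str


# Constructed threat-intelligence inputs (203.0.113.0/24 is a documentation range).
SUSPECT_IPS = {"203.0.113.7"}
COMPROMISED_ACCOUNTS = {"dr.smith"}       # credentials seen in a public dump


def new_baseline():
    """Constructed 90-day baseline: countries and devices seen per user."""
    return {
        "dr.jones": {"countries": {"US"}, "devices": {"iphone-a1"}},
        "dr.smith": {"countries": {"US"}, "devices": {"laptop-7"}},
    }


def risk_score(event, baseline):
    """Return (score, reasons); higher means more anomalous."""
    score, reasons = 0, []
    seen = baseline.setdefault(event.user, {"countries": set(), "devices": set()})
    if event.country not in seen["countries"]:
        score += 40
        reasons.append("country never seen for this user")
    if event.device_id not in seen["devices"]:
        score += 20
        reasons.append("unrecognised device")
    if event.ip in SUSPECT_IPS:
        score += 50
        reasons.append("source IP on suspect list")
    if event.user in COMPROMISED_ACCOUNTS:
        score += 50
        reasons.append("account in compromised-credential feed")
    return score, reasons


def decide(event, baseline):
    """Policy: below 40 the password alone suffices; 40-79 demands a second
    factor (secret question or one-time PIN to a known phone); 80+ is blocked
    and raised to the security team. Returns (decision, score, reasons)."""
    score, reasons = risk_score(event, baseline)
    if score >= 80:
        return "deny", score, reasons
    if score >= 40:
        return "step_up", score, reasons
    return "allow", score, reasons


def record_success(event, baseline):
    """After a step-up challenge succeeds, fold the new country/device into
    the baseline so the same traveller is not challenged on every login."""
    seen = baseline.setdefault(event.user, {"countries": set(), "devices": set()})
    seen["countries"].add(event.country)
    seen["devices"].add(event.device_id)


if __name__ == "__main__":
    base = new_baseline()
    for ev in [LoginEvent("dr.jones", "198.51.100.4", "US", "iphone-a1"),
               LoginEvent("dr.jones", "198.51.100.9", "DE", "hotel-pc"),
               LoginEvent("dr.smith", "203.0.113.7", "US", "laptop-7")]:
        print(ev.user, ev.country, decide(ev, base))
```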

As with other posts on such topics, I look forward to comments about your plans and experiences in these areas.

Monday, December 3, 2012

I've mentioned in previous blogs that BIDMC has contracted for an enterprise-wide security assessment to ensure our security projects are aligned with best practices. Over the next few months I'll write several posts about the issues we've reviewed and the evolution of our thinking about security.

Today I'll start with something basic.

What is the right frequency at which to require password changes?

Many security experts and commonly used guidelines suggest a 90 day password expiration frequency.

To understand the common practices of hospitals in Massachusetts, I asked many of my peer CIOs about their password change policies. The answer - some organizations are at 9 months, some are at 6 months, and some are at 3 months. One is at 4.5 months - a compromise between 3 months and 6 months.

There are two questions we need to answer before crafting the ideal policy.

1. Does changing passwords frequently actually increase security?

2. What is the impact of frequent password changes on the user experience (especially for smartphone and iPad users)?

For question 1 - The benefit of requiring more frequent password changes has been the topic of debate within the IS community for years. While many experts claim shortening the period reduces risk, others argue the opposite, because users cannot remember frequently changed passwords and write them on post-it notes which they affix to their work area.

Here are three references which suggest that increasing password change frequency reduces security.

For question 2 - Frequent password changes can be challenging for users of mobile devices. Generally, something like this happens:

1. You change your password via a desktop application.
2. Your iPhone and iPad try to sync email before you can change the password on them.
3. Your account is locked out for 20 minutes.
4. You try to change your password on your mobile devices but you cannot because of the lockout.
5. You call the IS help desk and they remove the account lock, but you spend two hours trying to change the password on all your mobile devices before the account is locked again, calling the help desk several times.

I'm sure there is an ideal way to do this, e.g. turn off all the cellular and network connections on your mobile devices and change your password via a desktop application. Then, change the password on your mobile devices before re-enabling their wireless network connections.
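To make the lockout interaction concrete, here is an added simulation (example code written for this post, not BIDMC's directory configuration): an account with a lockout policy, two mobile devices that keep syncing with a cached password after a desktop change, and the same change done with the devices updated first. The threshold, counting window and sync intervals are constructed assumptions; only the 20-minute lockout comes from the text.

```python
"""Added example, not from the original post: a small model of how an
account-lockout policy interacts with mobile devices that keep retrying mail
sync with a stale password after a desktop password change. The threshold,
window and sync intervals are constructed assumptions, not BIDMC's settings;
the 20-minute lockout comes from the post."""
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    threshold: int = 5        # bad attempts within the window before lockout
    window_min: int = 30      # minutes over which bad attempts are counted
    duration_min: int = 20    # lockout length


@dataclass
class Account:
    password: str
    failures: list = field(default_factory=list)   # minutes of bad attempts
    locked_until: int = -1

    def attempt(self, now, supplied, policy):
        """Process one authentication at minute `now`; returns the outcome."""
        if now < self.locked_until:
            return "locked"
        if supplied == self.password:
            self.failures.clear()
            return "ok"
        self.failures = [t for t in self.failures
                         if now - t < policy.window_min] + [now]
        if len(self.failures) >= policy.threshold:
            self.locked_until = now + policy.duration_min
            self.failures.clear()
            return "locked"
        return "bad_password"


@dataclass
class Device:
    name: str
    password: str           # what the device still has cached
    sync_every_min: int
    online: bool = True


def simulate(devices, policy=LockoutPolicy(), minutes=60):
    """The desktop changed the password to "new-secret" at minute 0. Each
    device then syncs on its own schedule. Returns (minute of first lockout
    or None, event log of (minute, device, outcome))."""
    account = Account(password="new-secret")
    log, first_lock = [], None
    for t in range(minutes):
        for d in devices:
            if d.online and t % d.sync_every_min == 0:
                result = account.attempt(t, d.password, policy)
                log.append((t, d.name, result))
                if result == "locked" and first_lock is None:
                    first_lock = t
    return first_lock, log


def naive_change():
    """Change on the desktop while the phone and tablet stay online with
    the old password cached: the devices lock the account themselves."""
    return simulate([Device("iPhone", "old-secret", 5),
                     Device("iPad", "old-secret", 10)])


def careful_change():
    """Take both devices offline, enter the new password on each, then
    bring them back online: every sync succeeds and nothing locks."""
    return simulate([Device("iPhone", "new-secret", 5),
                     Device("iPad", "new-secret", 10)])


if __name__ == "__main__":
    print("naive change locks at minute", naive_change()[0])
    print("careful change locks at minute", careful_change()[0])
```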

Regardless, doing this every few months will increase help desk support call volume and user frustration.

A side effect of creating a suboptimal user experience is that users will stop using tightly controlled corporate applications and instead access consumer grade technology such as Gmail, Dropbox, and text messaging, increasing risk and ultimately reducing security.

As a next step, we'll ask our multi-stakeholder IS Security and Privacy Committee to review the literature (pro and con) about frequent password changes. They'll evaluate the risks and benefits of various password change frequencies and then we'll select a path forward which hopefully balances the risks of infrequent password changes and too frequent password changes.

Just as I asked about remote access, I welcome your comments about your password expiration frequency policies and experience.

Friday, November 30, 2012

Last week I had dinner with the CEO of a very successful software company. He told me that 30% of all downtime for his products was caused by anti-virus software.

Given the sophistication of today's malware, it's clear that a new approach is needed to anti-virus software.

Intel introduced a virtualization component to their chipset a few years ago. When they acquired anti-virus company McAfee, they collaborated to leverage their "VT-x" chipset to catch advanced persistent threats and rootkits, both of which run at the same privilege level as typical anti-virus products. The VT-x chip enables a security monitoring process which runs at a low level, with very high privilege, in the chip. It can monitor CPU and memory state changes and flag, quarantine or stop anything it sees as suspicious. All new Intel-based Windows 7 machines include this capability. Here's a white paper about it.

For those of us who live in the trenches of information technology, malware and rootkits are the bane of our desktop management staff because they cannot be cleaned with existing standard antivirus software and require re-imaging the machines.

Thursday, November 29, 2012

Running a farm with 50 animals is like having 50 children. There are going to be bumps and bruises, stumbles, and occasionally serious injury.

Last week, one of our Guinea Fowl, named Piebald (because he's a patchy blend of black and white), flew into the male alpaca area which is guarded by our Great Pyrenees Mountain dogs, Bundle and Shiro. Normally our dogs ignore our birds, since the dogs have lived with the poultry for most of their lives. Piebald ran around the inside of the pasture fence and his fluttering attracted the dogs. They wanted to "play" with Piebald by "fetching" him. Within seconds of this happening, I ran to the pasture, body slammed the dogs to the ground with a sharp NO, indicating that eating a fellow citizen of Unity Farm is unacceptable behavior.

My wife picked up Piebald and began walking him back to the coop. A few of his tail feathers were missing, his head had a few spots of blood, and he looked a bit traumatized but otherwise intact. On the way back to the coop, he jumped from her hands and ran straight into the forest surrounding our farm. Kathy and I spent an hour looking for him to no avail. As darkness fell, we suspended our search.

The next morning he reappeared in the coop, looking out of sorts. That afternoon he disappeared again and spent the night in the forest.

The following day, he reappeared in the coop but his affect was very submissive. Previously Piebald was high on the pecking order. Now, he was being pecked at by his subordinates. He lost his mojo.

He spent the day running away from the other Guineas and losing various pecking order battles.

His wounds had healed and he was eating/drinking vigorously. He stayed in the coop overnight but slept with the chickens.

The next day he began cruising the property with the other guineas. He regained his upright posture and assertiveness.

Today he's been leading the pack once again, completely comfortable with being a leader of Guineas. He's regained his stature.

Every day is an adventure at Unity Farm. You never know what interpersonal dynamics will develop with the alpacas, llama, guineas, chickens, and dogs. You never know who will squabble, who will have an injury/illness, and who will develop new behaviors. If it wasn't for the rigors of being a CIO, I could spend the day watching the events of the barnyard - far more interesting than Fox News or CNN.

We've had life and death on the farm, sickness and health on the farm, joy and sorrow on the farm. At the moment, everyone is healthy, happy, and knows their place in the pecking order.

As we prepare for the Christmas on the farm, it's good that our citizens are all at peace in their community.

Wednesday, November 28, 2012

As I travel the country, I find that CIOs everywhere are struggling with BYOD in particular and remote access more generally. Who is responsible if:

A personal unencrypted laptop with email containing personally identified/protected healthcare information is stolen? The CIO of the institution providing email takes accountability and reports the theft to appropriate government regulators.

An employee prints a web page on their home computer and patient data is discovered blowing around in a nearby dump? The CIO of the institution hosting the patient data is responsible.

An employee with a malware infected but encrypted smartphone accesses a web application and a keystroke logger sends the username/password to hackers in Asia who use it to send spam? The CIO is responsible for all the consequences.

Policy against using personal laptops, home desktops, and smartphones for processing of healthcare data is not sufficient. CIOs must use technology controls to mitigate the risk of data loss.

For example, BIDMC has already used ActiveSync to enforce encryption of every smartphone accessing our network and to deny access to those smartphones that do not support encryption.

Personal laptops and home desktops are much harder to control. Purchasing institutionally supported laptop/desktop devices for every user needing remote access would be cost prohibitive.

Rather than try to manage home clients that have multiple varieties of hardware, operating systems, and third party apps, it's more practical to impose restrictions on who can access resources remotely, where they can access resources from, and what they can do (block downloads and printing). Solutions I've heard from industry experts include:

1. ActiveSync as the only means of smartphone email access, with a configuration that requires encryption of client devices. Use Outlook Web Access as the only laptop email access method and close all other types of remote email access (WebDAV, Exchange Web Services, RPC over HTTPS, IMAP, and POP).
2. SSLVPN for all remote access to all applications (including web portals) with configuration settings to prevent remote downloads and printing
3. Citrix or Virtual Desktop Infrastructure, which typically does not persist data on local clients.

I've described security as a continuous improvement process - the journey is never done. I'm curious what you are doing to restrict remote access in a world of malware, BYOD, and enhanced regulatory enforcement. Comments are welcome!

I was asked an interesting question about the transition from Stage 1 to Stage 2.

The Stage 2 Final Rule notes that as of 2014, any provider or hospital attesting to Stage 1 must use Stage 2 certified technology. Since the capabilities of Stage 2 certified technology are different from Stage 1, the nature of meaningful use changes for those who begin the program late.

The details of the changes to Stage 1 Core and Menu set objectives over time are summarized in this excerpt from the Stage 2 final rule.

A summary table of the effects is below, illustrating that the number of objectives changes as the certified technology changes. I hope you find this useful.

Thursday, November 22, 2012

Today was our first Thanksgiving at Unity Farm. Although I've discussed the farm in detail, I've not described the home. We live at the farm in a house adjacent to the pasture. My father-in-law lives in the in-law wing, we live on the first floor, and our daughter has an area on the second floor.

The entire family selected vegetables from the farm and surrounding farms, then spent the day peeling, chopping, and preparing a vegan feast. Just about everything but the Tofurkey was grown on the farm or within a mile of it. We had

Wednesday, November 21, 2012

2012 has been a year of joys and sorrows. My wife had breast cancer, my mother broke her hip, my cat died of pancreatic cancer, I left my CIO role at Harvard Medical School to focus on BIDMC's emerging accountable care organization, and moved/consolidated two families from suburban houses into Unity Farm.

Some would consider this amount of change and challenge to be overwhelming.

I think of them as transformative.

It may sound strange to quote Marilyn Monroe when reflecting on Thanksgiving, but her words are appropriate:

“I believe that everything happens for a reason. People change so that you can learn to let go, things go wrong so that you appreciate them when they're right, you believe lies so you eventually learn to trust no one but yourself, and sometimes good things fall apart so better things can fall together.”

Without the catalyst of my wife's cancer diagnosis, we would not have sold our home and purchased the farm at a time when market conditions were ideal for both transactions.

My mother's hip fracture enabled us to improve their house for accessibility and reconcile her medications.

My cat's unexpected illness educated us about animal care at a time when we took on the responsibility for 50 chickens, llamas/alpacas, and guinea fowl.

My job consolidation enabled me to channel all my passion and energy into healthcare information exchange at the federal, state, and local level such as the Massachusetts Golden Spike event.

Unity Farm has provided a healing environment for everyone in the family, and the memories of the work required to sell two houses, close my wife's gallery and move her studio to the farm are fading fast.

BIDMC was ranked the #1 IT organization in America this year. We were the first hospital in the country to attest to meaningful use and receive stimulus funding. We achieved all our FY12 application and infrastructure goals.

Regardless of the events of any given day, temporary crises or urgencies pale in comparison to the well being of people. As we approach Thanksgiving 2012, all the people in my world are good.

My wife and daughter are happy. My parents are healthy. My Federal and State colleagues are working hard on challenging projects they enjoy. My BIDMC teammates are making a huge difference during the most exciting time in the history of healthcare IT. The citizens of Unity Farm are loved and well cared for.

In 2012, the events of each day were sometimes negative, but the trajectory for the year has been overwhelmingly positive.

As I tell my daughter, it's unclear what the endpoint will be, but as long as the journey along the way is the best you can make it, everything will be ok.

After all the events of the past year, I remain convinced that the future will be bright.

Tuesday, November 20, 2012

I'm often asked if the use of EHRs diminishes clinician-patient interactions in the exam room.

At BIDMC, Jan Walker and Tom Delbanco have done focus groups with patients about technology. Generally, they found that patients will embrace technology that gives them access to information about their care. At BIDMC, where we have both a patient portal and Wi-Fi throughout the hospital, doctors often arrive at the bedside to find a patient viewing lab results on an iPad, ready with questions about their tests.

The literature studying outpatient offices with computers in the exam room suggests computers do not get in the way as long as clinicians are facile with them and maintain eye contact with patients.

Here are three articles:

"The examination room computers appeared to have positive effects on physician-patient interactions related to medical communication without significant negative effects on other areas such as time available for patient concerns. Further study is needed to better understand HIT use during outpatient visits." J Am Med Inform Assoc. 2005;12:474–480. DOI 10.1197/jamia.M1741.

"Studies examining physician EHR use have found mostly neutral or positive effects on patient satisfaction, but primary care researchers need to conduct further research for a more definitive answer." J Am Board Fam Med 2009;22:553–562.

"With the implementation of the electronic medical record—called HealthConnect—in all exam rooms throughout the Kaiser Permanente health care delivery system, how computers in the exam room affects physician-patient communication is a new concern. Patient satisfaction scores were obtained for all primary and specialty care physicians in a large medical center in Southern California to determine how scores changed as physicians started using HealthConnect in the exam room. Results show no significant changes in patient satisfaction for these physicians. Although concerns were not realized that patient satisfaction might decrease after HealthConnect was introduced, there was also no evidence that introducing an electronic medical record in outpatient clinics increased patient satisfaction." The Permanente Journal / Spring 2007/ Volume 11 No. 2

Clinicians have different approaches to the use of technology in the exam room - iPads, typing into a laptop, or just taking notes then entering data outside of the exam room. When clinicians and patients work together to ensure safe, accurate, and timely record keeping, everyone wins. Certainly, there may be awkwardness when clinicians struggle with new technology and patients perceive a change in attentiveness. However, it is highly likely that as clinicians spend their entire practice lives using EHRs and all patient records are recorded in EHRs, that this awkwardness will disappear. Just as mobile devices have replaced newspapers and magazines as the favored way for adults to access media, the EHR and PHR, as well as the processes needed to use them, will become a standard part of every clinical encounter, supporting rather than detracting from the patient experience.

Monday, November 19, 2012

At the November HIT Standards Committee we discussed the draft Meaningful Use Stage 3 Request for Comment (RFC), which includes a measure relating to query for a patient's record. The RFC suggests an exchange of authorization language to be signed by the patient in order to allow retrieval of the requested information. Discussion elicited the suggestion that perhaps patient consent preferences might be included as metadata with the data exchanged so that the patient approved uses of the data - treatment/payment/operations, clinical trials, transmission to a third party - could be respected.

After the meeting, Dixie Baker proposed a simple, scalable and powerful approach that avoids both the need to exchange authorization language for signature and the complexity of exchanging patient preferences as metadata. Her suggested approach combines the CAML idea with the metadata idea, but simplifies privacy management for both consumers and providers, while offering the kind of scalability needed for the dynamic, collaborative healthcare environment we envision.

Imagine that instead of having to fill out a new privacy-preferences form at each encounter, the consumer could select and manage her preferences with a single entity, and at every other encounter would need only provide the URI to where her preferences are held. Then, upon receipt of a request for her health information, an EHR would only need to query the privacy-management service at the URI she provided to determine whether the request could be honored. Her preferences would be captured as structured, coded data to enable query, without having to exchange a complete "form" in order to adjudicate an access request. Per the CAML idea, this XML could include queryable preferences about what data the patient consents to exchange with whom and in what circumstances. This set of privacy preferences could be maintained by the patient and would include such concepts as institution-level permission to share data with partner institutions, permission to send data using a health information exchange organization, and approval to use data for certain types of research.

Instead of sending these preferences with the data itself, the metadata header in Consolidated CDA summary exchange would include a Uniform Resource Identifier (URI) that points to the privacy-management service where the patient's privacy preferences are held.

This simple idea - represent a patient's privacy preferences/consents in query-able XML at a specific URI - enables an entirely new approach to health information exchange, while making it easier for consumers to make meaningful choices and manage them over time.

For example:

1. A hospital is "pushed" a patient record from a primary caregiver. The hospital wants to push that data to a specialist. Before any data transfer is done to an outside organization, the URI is retrieved from the metadata and the patient's current consent preferences are applied to the data exchange.

2. An emergency department wants to pull data from multiple data sources to ensure safe, quality, efficient care of an unconscious patient. The URI of service holding the patient's privacy preferences is available from the state HIE, and the data is retrieved from various sources per the patient's preferences.

3. At discharge, the patient's information is to be pushed to the patient and the primary caregiver/referring clinician per meaningful use stage 2 requirements. Before the push happens, the patient's URI is checked for current data exchange preferences.
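The three exchanges above, worked through as an added example (not from the original post, the HIT Standards Committee, or any C-CDA specification): a constructed coded-preference document served from the patient's URI, a resolver that reads that URI from a summary document header, and the check an EHR would run before any push or pull. The XML vocabulary, the privacyPreferencesUri header element, the URI and the organisation identifiers are all constructed for illustration.

```python
"""Added example, not from the original post: coded privacy preferences served
from a patient-controlled URI, a resolver that reads the URI from a summary
document header, and the check applied before each exchange in the three
scenarios above. The XML vocabulary, the privacyPreferencesUri element, the
URI and the organisation identifiers are constructed, not C-CDA standard."""
import xml.etree.ElementTree as ET

# Constructed preference document, as the privacy-management service might
# return it. Coded purposes follow the post: treatment/payment/operations,
# research, partner institutions, HIE transport, plus an emergency override.
PREFERENCES_XML = """<privacyPreferences patient="urn:example:patient:123">
  <rule purpose="TREAT" allow="true"/>
  <rule purpose="PAYMENT" allow="true"/>
  <rule purpose="OPERATIONS" allow="true"/>
  <rule purpose="RESEARCH" allow="false"/>
  <rule purpose="RESEARCH" researchType="cardiology" allow="true"/>
  <partner org="urn:example:org:data-broker" allow="false"/>
  <hieTransport allow="true"/>
  <emergencyOverride allow="true"/>
</privacyPreferences>"""

# Constructed header fragment: instead of carrying preferences, the summary
# document carries only the URI where they are held.
SUMMARY_HEADER = """<ClinicalDocument xmlns="urn:hl7-org:v3">
  <recordTarget><patientRole>
    <id root="urn:example:patient:123"/>
    <privacyPreferencesUri value="https://prefs.example/patients/123"/>
  </patientRole></recordTarget>
</ClinicalDocument>"""

# Offline stand-in for fetching the URI over HTTPS.
SERVICE = {"https://prefs.example/patients/123": PREFERENCES_XML}


def preference_uri(document_xml):
    """Pull the privacy-management URI out of the document header."""
    ns = {"hl7": "urn:hl7-org:v3"}
    el = ET.fromstring(document_xml).find(".//hl7:privacyPreferencesUri", ns)
    return el.get("value") if el is not None else None


class Preferences:
    """Coded preferences, queryable without exchanging a whole consent form."""

    def __init__(self, xml_text):
        self.root = ET.fromstring(xml_text)

    def _allow(self, tag, **attrs):
        """True/False from the first element matching tag and attrs, else None."""
        for el in self.root.findall(tag):
            if all(el.get(k) == v for k, v in attrs.items()):
                return el.get("allow") == "true"
        return None

    def permits(self, requester_org, purpose, via_hie=False,
                emergency=False, research_type=None):
        """Adjudicate one access request; returns (allowed, reason)."""
        if emergency and self._allow("emergencyOverride"):
            return True, "emergency access permitted by patient"
        if self._allow("partner", org=requester_org) is False:
            return False, "patient has blocked this organisation"
        if via_hie and self._allow("hieTransport") is False:
            return False, "patient does not permit HIE transport"
        if purpose == "RESEARCH" and research_type:
            specific = self._allow("rule", purpose=purpose,
                                   researchType=research_type)
            if specific is not None:
                return specific, f"research rule for {research_type}"
        general = self._allow("rule", purpose=purpose)
        if general is None:
            return False, f"no rule for purpose {purpose}: default deny"
        return general, f"rule for purpose {purpose}"


def check_exchange(document_xml, requester_org, purpose, **kw):
    """Run before any push or pull: resolve the URI, then ask the service."""
    uri = preference_uri(document_xml)
    if uri is None:
        return False, "no preference URI in header: default deny"
    return Preferences(SERVICE[uri]).permits(requester_org, purpose, **kw)


if __name__ == "__main__":
    # Scenario 1: hospital pushes the received record on to a specialist.
    print(check_exchange(SUMMARY_HEADER, "urn:example:org:cardiology-associates", "TREAT"))
    # Scenario 2: emergency department pulls via the state HIE for an unconscious patient.
    print(check_exchange(SUMMARY_HEADER, "urn:example:org:ed", "TREAT",
                         via_hie=True, emergency=True))
    # Scenario 3: discharge push to the referring clinician.
    print(check_exchange(SUMMARY_HEADER, "urn:example:org:pcp", "TREAT"))
    # Uses the patient did not approve.
    print(check_exchange(SUMMARY_HEADER, "urn:example:org:data-broker", "OPERATIONS"))
    print(check_exchange(SUMMARY_HEADER, "urn:example:org:pcp", "RESEARCH"))
```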

Thursday, November 15, 2012

One of the most important aspects of choosing a farm property is the community around you:
* What is the zoning?
* How will your neighbors react to wandering guinea fowl or an escaped llama?
* Are there other farms nearby?

For our farm, we chose Sherborn, a very agriculturally friendly town just west of Boston.

The Sherborn town bylaws indicate that no agricultural pursuit can be restricted. Of course, various wetland restrictions and environmental controls apply, but if we wanted to raise ostriches and emus on our 15 acres, we could. Our land was previously a 200 acre farm and our only current neighbors are a 55 acre apple orchard and a 15 acre property used for horse rescue/mini-donkeys. Those neighbors admire and support our livestock.

But what about nearby farms?

This week, we ate foods gathered or purchased from our farm and surrounding farms (photo above).

The western border of our property is the Dowse orchard. At the Dowse Orchard Farm Stand we purchased:
* Romaine and red leaf lettuce
* Field broccoli
* Apples (Mac, Cortland and Empire)
* Local seasonal pies
* Fresh pressed apple cider

Just over the hill from us is a 1700's dairy farm - the Sunshine Farm.
We purchased:
* Field turnips
* Field carrots
* Field onions
* Homemade sweet corn veggie pizza

Just down the street from us is the Sweet Meadow Farm where we purchased sugar pumpkins and grain/hay for our animals.

At our own Unity Farm, we gather 8 eggs per day from our chickens. This season we grew eggplant, garlic, onions, and potatoes in our raised beds. In our kitchen garden we grew parsley, sage, rosemary and thyme. We planted our own apple orchard and will be planting an acre of high bush blueberries in the Spring. We're building a 20 foot x 72 foot hoop house that will enable us to grow year round produce.

Wednesday, November 14, 2012

When I was 13 years old, the Altair 8800 appeared on the cover of Popular Electronics. By 16, I was building enough hardware and software that I achieved the Malcolm Gladwell 10,000 hours of competency by age 18. By 19, I founded a company that produced tax calculation software for the Kaypro, Osborne, and new IBM PC. Every week in the Silicon Valley of the early 1980's brought a new startup into the nascent desktop computer industry.

To me, we're in a similar era - a perfect storm for innovation fueled by several factors. Young entrepreneurs are identifying problems to be rapidly solved by evolving technologies in an economy where existing "old school" businesses are offering few opportunities.

This pace of innovation reminds me of that time 30 years ago when Sand Hill Road was just beginning its evolution to the hotbed of venture investing it is today.

Who are these new entrepreneurs and what kind of work are they doing? Tonight I'll be introducing Lissy Hu and Gretchen Fuller.

Lissy Hu is passionate about helping patients find the right care. Her clinical experiences at leading Boston and New York hospitals have shown her first-hand the frustrations her patients and their families face when finding after-care. Lissy previously worked on a Medicare demonstration project involving transitions in care for 3,000 medically-complex patients. She is currently on-leave from the Harvard Medical School and Harvard Business School joint-degree program. Lissy hopes to leverage her clinical and business insights to engage in social entrepreneurship and tackle healthcare’s most challenging problems. Lissy graduated from Columbia University Phi Beta Kappa, Summa Cum Laude, and with Honors in her major.

Gretchen Fuller is committed to improving healthcare quality and communication amongst providers and patients. At Harvard Medical School, she co-directed a student group (Improvehealthcare.org) dedicated to improving medical school education on healthcare policy: this organization was responsible for creating course material that is now part of a mandatory Health Policy course. She spent the last year spearheading three healthcare quality investigations at 5 hospitals in Buenos Aires, Argentina, including projects on problematic patient handoffs, barriers to the use of surgical checklists, and medical school curricula on patient safety. Gretchen graduated Cum Laude in Biology at Harvard University, where she also captained the Division I Field Hockey team.

They will be presenting CarePort, a software startup improving patient transitions from hospitals to post-acute care providers through an easy-to-use online booking engine.

As I know well from my mother's recent hip fracture, many patients require additional care after a hospital stay. The current process of discharging patients to post-hospital care providers is complex, confusing, and cumbersome. Careport connects patients, hospitals, and care facilities directly. Patients and their families, along with hospitals, can search for care facilities that meet their clinical needs and book reservations immediately. Careport also tracks patient care in the hospital and post-acute care settings and communicates critical clinical information back to primary caregivers, thereby ensuring effective care coordination. Careport identifies variables driving medical complications, readmissions, and patient satisfaction.

I am convinced that Meaningful Use Stage 2, with its focus on increased interoperability, and Meaningful Use Stage 3, with its proposed enhancements to patient and family engagement, will accelerate the demand for products like Careport. Modular certification will make it much easier for young entrepreneurs to make their products part of the physician and hospital software set used for attestation.

It's an exciting time to watch the creativity of the next generation fixing healthcare. With Techstars, Rock Health, Healthbox and other incubators/accelerators combined with Datapaloozas and innovation competitions, I'm convinced the breakthroughs we need in healthcare process improvement will be invented by the twenty-somethings and not mid career professionals in established companies.

So immerse yourself in advising and mentoring these people. Tonight, I will be.

Tuesday, November 13, 2012

The 42nd meeting of the HIT Standards Committee began with an inspirational introduction from Farzad Mostashari. He told us that the HIT Standards Committee members should keep their "eyes on the prize and feet on the ground". We should be aspirational in reviewing the Meaningful Use Stage 3 criteria, identifying standards recommendations for 2016 which are likely, which are possible with focus, and which are unrealistic. We should not be intimidated by all the ideas in the Meaningful Use Stage 3 request for comment, but realize that unless all ideas are considered, we'll regret not thinking broadly about important safety, quality, and efficiency improvements. As the request for comments process progresses, the doable priorities will emerge. The public release of the Stage 3 request for comment will occur later this week, with comments due in January.

Michelle Nelson, ONC Meaningful Use Workgroup Lead, presented the Meaningful Use Stage 3 recommendations, assisted by Doug Fridsma and Jodi Daniel. We reviewed the Stage 3 recommendations line by line, noting that the Policy Committee had included some data exchanges that the Standards Committee suggested were unlikely to occur by 2016. Although most of the Standards Committee advice was incorporated, the Policy Committee felt some goals were so important they were worth pushing. Overall, the Standards Committee commented that the Meaningful Use Stage 3 recommendations need to be grouped into common policy goals, be less workflow prescriptive and more outcomes oriented, take into account the burden of implementation, and focus on a few significant improvements to EHRs that would accelerate several goals. For example, if all EHRs became QueryHealth compliant then clinical trials, quality measures, and population health reporting would all be simplified. As a next step, ONC will reorganize the Stage 3 material into policy clusters and themes for assignment to the Standards Committee for detailed standards recommendations.

Next, Dixie Baker presented a Privacy and Security Workgroup Update regarding security and privacy criteria for modular EHR certification. Their concern is that without security and privacy guidelines, we could end up with a module that weakens protections and data integrity of the enterprise. Dixie suggested several paths forward and the Committee decided that Modular EHRs should be required to demonstrate compliance with the Meaningful Use security criteria by either including features within the module or by making calls (standards-based or non-standards based) to other applications which provide the needed security.

Doug Fridsma provided an update on S&I Framework projects and focused on the Automate Blue Button initiative to support patient "subscription" to their healthcare data or automated requests for delivery of their data.

Kate Goodrich from CMS provided an overview of efforts to "re-boot" Clinical Quality Measures by:
* Eliminating abstracting and skip methods that are based on paper
* Using new measures that are EHR-based, not old measures that are retooled to work with EHRs
* Reducing complex exclusionary criteria in numerators and denominators
* Consolidating measures across various programs - ACO, PQRS, CMS Core etc.

We then heard three presentations that are part of efforts to simplify future stages of Meaningful Use by providing national infrastructure.

Ivor D'Souza from the National Library of Medicine presented the Value Set Authority Center, which is now open for business. This valuable resource provides downloadable/searchable vocabularies and code sets that support Meaningful Use Stage 2.

Monday, November 12, 2012

Later this week, I'm joining a healthsystemCIO.com webinar about security and health information exchange.

A theme I discuss frequently in my keynotes and lectures is the current regulatory challenge which suggests we should engage patients/families, share data for care coordination in accountable care organizations, and use registries to analyze population health/public health, all while keeping the data secure and respecting patient privacy preferences. It's a tall order.

As I've posted previously, BIDMC hired Deloitte to perform a security assessment of our policies and technologies. Going through the assessment has given me a great opportunity to review the security standard practices in the healthcare industry and the best practices across all industries.

At the same time, we're passionate about healthcare information exchange technologies for provider/provider summaries and patient/provider communications (portals, automated blue button, and state HIE connections to patients).

Here are the slides I'll use in the webinar, illustrating that it is possible to secure the enterprise and at the same time use Direct-enabled, certificate protected health information exchange with patients, providers, and payers.

The most secure library in the world would not check out any books - it would be a secure but useless library. We must protect privacy and at the same time share information. It is possible to achieve a balance that does both.